FleyRadar

Privacy Policy

Effective date: April 1, 2026

FleyLab operates FleyRadar, a software platform available at radar.fleylab.com. FleyRadar is a SaaS product for brand monitoring, social listening, sentiment analysis, competitive intelligence, AI-generated digests, reports, and related analytics across public sources, connected integrations, and user-uploaded datasets.

This Privacy Policy explains what personal data we collect, how we use it, which legal bases apply, when we disclose it, how long we retain it, and what rights you may have as a data subject. This Policy should be read together with our Terms of Use and any separate order form, commercial agreement, or data processing agreement that may apply to your use of the service.

1. Introduction and scope

This Policy applies to the processing of personal data in connection with your use of our website, web application, API, workspaces, alerts, AI features, reports, WhatsApp Analytics features, OAuth integrations, and customer support channels. It covers personal data that we receive directly from you, collect automatically through the operation of the service, obtain from third-party services that you connect, or process as part of monitoring public sources within the functionality of FleyRadar.

The Policy applies both to individual users and to users acting on behalf of a company, agency, brand, or other organization. If you use FleyRadar on behalf of an organization, you confirm that you are authorized to provide instructions regarding the relevant workspace and connected services. In some situations, your organization may act as an independent controller for the data it uploads or configures inside the service, while FleyLab remains the controller for account data, billing, platform security, product telemetry, and other processing necessary to run the service.

  • The Policy applies to data processed through service pages, product interfaces, generated reports, email and Telegram alerts, API usage, and copilot-style interactions.
  • The Policy does not govern the privacy practices of third-party websites, platforms, channels, communities, or sources that you monitor or connect to the service; those parties publish and control their own terms and notices.
  • If a separate enterprise contract, order form, or data processing agreement applies, that document controls to the extent of a direct conflict, and this Policy continues to apply to everything not specifically addressed elsewhere.

By using FleyRadar, you acknowledge this Policy. If you do not agree with it, you should stop using the service. We recommend reviewing this page periodically because our integrations, feature set, retention periods, and legal obligations may evolve over time.

2. Data controller

FleyLab, Baku, Azerbaijan, is the operator and data controller for the personal data described in this Policy unless a separate agreement states otherwise. This means that we determine the purposes and principal means of processing for account creation, authentication, workspace management, AI analysis, reports, security logs, customer support, and subscription administration.

You can contact us about privacy matters at privacy@fleylab.com and about legal notices or legal matters at legal@fleylab.com. As of the effective date of this Policy, FleyLab has not appointed a separate Data Protection Officer because we are a small enterprise and the nature or scale of our processing does not create a mandatory DPO requirement under the laws that apply to us. Instead, privacy governance and data subject request handling are managed by responsible members of our management, engineering, and legal functions.

  • Privacy contact: privacy@fleylab.com
  • Legal contact: legal@fleylab.com
  • Postal address: FleyLab, Baku, Azerbaijan

If you use the service as a member of an organization, that organization may also be an independent controller with respect to the monitoring targets, uploaded datasets, keyword lists, and other workspace instructions it provides. In those situations, FleyLab may act as a processor for certain activities carried out on the customer's behalf, while continuing to act as a controller for security, anti-abuse, billing, legal compliance, and the defense of our rights.

3. Definitions

For purposes of this Policy, the following terms have the meanings below. If a capitalized term is not defined here, its meaning may be explained in our Terms of Use, product documentation, or a separate contract. Singular terms include the plural where appropriate from the context.

  • "Personal data" means any information relating to an identified or identifiable natural person, including account details, contact information, technical identifiers, uploaded content, and data that can indirectly point to a person.
  • "Processing" means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, analysis, retrieval, use, disclosure, restriction, deletion, and destruction.
  • "Data subject" means the natural person to whom personal data relates, such as an account holder, workspace user, customer contact, person included in an uploaded WhatsApp export, or person mentioned in a support ticket.
  • "Controller" means the party that determines the purposes and means of processing personal data.
  • "Processor" means the party that processes personal data on behalf of a controller and under the controller's instructions.
  • "Consent" means a freely given, specific, informed, and unambiguous indication of the data subject's wishes where consent is the required legal basis.
  • "Profiling" means automated processing of personal data to evaluate certain aspects relating to a person, such as likely sentiment, topical association, or relevance category.
  • "AI Output" means an automatically generated result such as a summary, label, recommendation, digest, topic cluster, action brief, or other model-assisted output.

These definitions are provided for convenience and do not limit the meaning that mandatory privacy laws may assign to the same terms. Where applicable law defines a term differently, the legal definition controls.

4. Data we collect

We collect only the categories of data that are reasonably necessary to provide FleyRadar, support user accounts, generate analytics, secure the platform, and comply with mandatory legal obligations. The exact data collected depends on your plan, connected sources, enabled AI features, authentication method, and privacy settings.

  • Account data: email address, name, company name, role, interface language, time zone, country, communication preferences, privacy settings, and other profile attributes.
  • Authentication data: password hash created through Supabase, session tokens, refresh tokens, JWTs, login timestamps, email verification state, password reset events, and security-related session metadata.
  • Subscription and billing data: plan tier, subscription status, renewal and cancellation dates, Paddle customer ID, transaction identifiers, currency, tax status, invoices, and payment history. We do not receive or store full payment card numbers.
  • Workspace configuration data: keywords, exclusions, search operators, monitored sources, competitors, brands, alert rules, taxonomy, scoring rules, relevance settings, digest options, white-label preferences, and team collaboration settings.
  • Monitoring results: mentions, reviews, snippets, links, author or channel data, sentiment labels, emotions, topics, clusters, translations, relevance scores, feed categories, summary blocks, influencer metrics, and derived values such as AVE where enabled.
  • OAuth tokens and integration data: access tokens, refresh tokens, related account IDs, scopes, expiry data, refresh logs, and integration states for Meta, Google Business, and other supported services. These tokens are encrypted with AES-256.
  • Uploaded content: WhatsApp exports, CSV files, lists of monitored entities, brand assets, logos, presentation templates, and related metadata. For WhatsApp Analytics, configurable anonymization, phone number removal, and PII masking can be applied.
  • AI outputs and copilot records: sentiment classifications, emotion and intent labels, topic extraction, digests, action briefs, clustering results, copilot conversations, and prompts or system instructions needed to generate a result.
  • Reports and export assets: PDF and PPTX reports, branded presentation settings, themes, fonts, logos, embedded images, white-label preferences, and report generation history.
  • API keys and API usage data: hashed API keys, scopes, issuance and revocation timestamps, endpoint call logs, rate counters, response timing, and error details.
  • Technical and diagnostic data: IP address, User-Agent, limited browser or device characteristics, timestamps, request IDs, error logs, performance traces, Server-Timing headers, and security events.
  • Communication data: email alert settings, Telegram chat ID for notifications, support correspondence, incident records, data deletion requests, and similar account administration communications.

We do not intentionally seek special categories of personal data. If you upload material that contains sensitive or highly personal information, you are responsible for having a valid legal basis to provide it to us, and we will process it only in line with your instructions, our service functionality, and this Policy.

5. How we collect data

We receive data in several ways. The primary source is information that you provide directly when you register, set up a workspace, connect integrations, upload files, generate reports, or interact with copilot-style features. We also receive data that you choose to include in support requests, onboarding conversations, billing communications, and similar customer interactions.

A second category is technical data that is collected automatically when you use the service. We log sign-in events, session history, operation timing, error traces, IP addresses, general client characteristics, and other minimal telemetry required to operate FleyRadar securely and reliably. This telemetry is not used for ad targeting.

  • Directly from you: registration forms, profile details, workspace settings, support conversations, demo requests, uploaded files, WhatsApp exports, and privacy instructions.
  • Automatically: session cookies, request logs, Server-Timing headers, authentication logs, rate limiting events, webhook signature verification results, and related security signals.
  • From connected third-party services: Meta Graph API, Google Business Profile API, VK API, YouTube Data API, and other integrations for which you grant access or add a source through the product.
  • From public sources: Telegram channels through MTProto, RSS feeds, Reddit, 2GIS, Google Reviews, public web pages, LinkedIn through aggregated news discovery, TikTok through RSSHub, and comparable publicly accessible publication channels.
  • From our service providers: Supabase provides authentication and storage events, and Paddle provides subscription status, invoicing information, and payment confirmations.

We do not buy consumer datasets from data brokers, use ad-tech exchanges, or deploy third-party marketing pixels for hidden behavioral tracking. If a data point is not needed to provide a feature, we try not to request or retain it.

6. Purposes of processing

We process personal data only for legitimate, specified, and proportionate purposes connected with providing and improving FleyRadar. Each processing activity is tied to a service need, your selected features, your instructions, or a legal or security requirement.

  • Service delivery: creating and maintaining accounts, authenticating users, managing workspaces, running monitoring jobs, collecting mentions, aggregating reviews, and powering dashboards and feeds.
  • AI analysis: performing sentiment analysis, topic extraction, emotion and intent classification, digest generation, action brief creation, relevance scoring, influencer analysis, and copilot responses.
  • Alerts and communications: sending monitoring alerts, scheduled digests, account notices, security messages, and report delivery by email or Telegram.
  • Reports and exports: generating PDF and PPTX reports, storing report templates, and applying white-label settings and brand assets.
  • Billing and commercial administration: managing subscriptions, verifying payment status, preventing billing fraud, and maintaining accounting and tax records.
  • Security and abuse prevention: detecting suspicious logins, enforcing rate limits, verifying webhook signatures, protecting against SSRF, and investigating misuse.
  • Support and product improvement: debugging errors, analyzing performance, responding to customer requests, improving quality, and refining models, rules, and user experience.
  • Compliance and rights protection: responding to lawful requests, keeping mandatory records, resolving disputes, and protecting the legal rights of FleyLab, our customers, and our users.

If we need to use data for a new purpose that is materially incompatible with the original purpose, we will assess the legal basis for that use and, where required, provide additional notice, seek consent, or allow you to disable the relevant feature.

7. Legal bases for processing

Depending on the context, we rely on more than one legal basis to process personal data. Not every processing activity requires consent. In many cases, data is needed so that we can perform our contract with you, secure the service, comply with the law, or pursue legitimate interests that are not overridden by your rights and freedoms.

  • Contract performance: when we create your account, authenticate you, store workspace settings, process monitoring jobs, generate reports, or provide plan-based features.
  • Consent: when you voluntarily connect an OAuth integration, upload WhatsApp exports, enable particular AI features, provide optional profile data, or ask us to process materials containing data that is not required for the default service flow.
  • Legitimate interests: when we secure the platform, prevent abuse, perform minimal telemetry, maintain logs, improve resilience, defend against claims, and improve classification quality or user experience without advertising tracking.
  • Legal obligation: when we need to retain accounting records, respond to lawful government requests, or meet tax, sanctions, audit, or similar mandatory obligations.
  • Legal claims and defense: when processing is necessary to establish, exercise, or defend legal claims involving FleyLab, our users, or our customers.

When we rely on legitimate interests, we consider the nature of the data, user expectations, the effect on privacy, and whether technical safeguards and data minimization reduce the impact. Where applicable law requires consent, you may withdraw that consent at any time, but withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

8. Data sharing and third parties

We do not sell your data and we do not disclose it arbitrarily. We share data only where needed to provide service functionality, follow your instructions, operate integrations, secure the platform, or comply with the law. Our service providers are selected for functional necessity, reviewed for security, and bound by contractual confidentiality and data protection commitments.

  • Supabase: account data, password hashes, authentication tokens, workspace database content, access logs, and session metadata. Used for authentication, PostgreSQL storage, and Row Level Security controls.
  • Paddle: payer email, billing country, tax details, subscription plan, subscription status, Paddle customer ID, transaction identifiers, and refund data. Used for subscription management, billing, and accounting. Full card data remains with Paddle.
  • Google Cloud / Gemini: content fragments, prompts, summaries, and task metadata needed for sentiment analysis, topic extraction, digest generation, and other AI-driven features.
  • OpenAI: mention text, prompts, workspace context, and related instructions when you use features backed by relevant models, such as brief generation, relevance reasoning, or copilot tasks.
  • Anthropic / Claude: request data and content sent through our AI pipeline for analytic reasoning, content structuring, and user-facing AI responses.
  • Meta Graph API: access tokens, account or page IDs, scope metadata, and Facebook or Instagram content data within the permissions you grant when connecting the integration.
  • Google Business Profile API: tokens, location IDs, public reviews, business responses, and related metadata needed for monitoring and analytics of Google Reviews.
  • Telegram MTProto: data from public channels, messages, links, and other information available through Telegram monitoring, subject to platform availability and applicable rules.
  • VK API and YouTube Data API: community, channel, query, search result, and public content identifiers associated with the monitoring sources you configure.
  • Hetzner: infrastructure hosting, compute resources, file storage, network perimeter, backups, and technical logs needed to host the service in EU-based infrastructure.

In addition to the providers above, we may disclose data to professional advisers, auditors, law enforcement, courts, or regulators where required by law, needed to investigate fraud or a security incident, or necessary to protect our legal rights. In every case, we aim to disclose only the minimum data reasonably necessary for the relevant purpose, and we do not allow providers to use your data for unrelated marketing purposes.

9. AI and automated processing

FleyRadar uses artificial intelligence models to analyze text, classify sentiment, identify topics, create digests, compute relevance, surface influencer signals, generate action briefs, and support copilot interactions. These features rely on probabilistic systems and statistical inference, which means outputs may be incomplete or imprecise, may include false positives or false negatives, or may be otherwise imperfect.

We do not make solely automated decisions that produce legal effects on you or similarly significantly affect your rights and freedoms. AI Output in FleyRadar is intended to assist analysis and workflow, not to serve as a final mandatory determination. If you believe an automated result is incorrect or misleading, you may ask for additional review, clarification, or support, and you may manually adjust your workspace settings, filters, and taxonomy.

  • AI providers receive only the content and metadata reasonably necessary for the specific prompt, batch job, or requested feature.
  • We aim to use service terms and deployment modes under which customer inputs are not used to train the providers' general foundation models.
  • Depending on the workflow, we may use short-lived caching, prompt retention for diagnostics, PII filtering, and other minimization steps before sending content to a model.
  • You remain responsible for reviewing high-impact conclusions, especially where they may inform PR responses, escalation paths, legal evaluation, compliance, or commercial decision-making.

We continue to improve model routing, prompt design, and fallback logic, but we do not promise perfect AI accuracy. If applicable law gives you the right to object to profiling or request human involvement, you may exercise those rights by contacting us at privacy@fleylab.com.

10. International data transfers

Our primary storage and core processing for FleyRadar are hosted on infrastructure located in the European Union, including Hetzner-hosted systems and related application or database deployments. However, some of our AI and API providers are based in the United States or use globally distributed infrastructure. As a result, some personal data may be transferred outside your country or outside the EU when necessary to provide a feature that you choose to use.

When we organize an international transfer, we apply reasonable safeguards that are proportionate to the sensitivity and volume of the data involved. These safeguards may include Standard Contractual Clauses, confidentiality commitments, purpose limitation, encryption, data minimization, access segmentation, and supplier risk review.

  • Primary workspace databases and application storage are hosted in the EU.
  • Operational access to the service is managed from Azerbaijan on a limited need-to-know basis.
  • AI requests and certain API interactions may temporarily involve providers outside the EU, including providers in the United States, where required for the enabled functionality.
  • Where possible, we reduce context, remove unnecessary identifiers, or apply masking before transferring content.

By using integrations and AI features, you understand that certain cross-border transfers may be an inherent part of the service. If you require a data processing agreement, additional transfer commitments, or stricter localization controls, please contact us before enabling the relevant features.

11. Retention periods

We retain data only for as long as it is needed for the purposes for which it was collected, taking into account contractual requirements, legal obligations, plan-level retention settings, incident investigation needs, and backup cycles. After the relevant period ends, data is deleted, anonymized, archived, or made unavailable in active interfaces depending on the category and technical architecture involved.

  • Account and profile data: retained until account deletion and, where necessary, for a limited period afterward to handle disputes, fraud prevention, and mandatory recordkeeping.
  • Mentions, reviews, and monitoring results: retained according to your plan and retention settings, commonly 7, 30, or 365 days, after which they are automatically archived or removed from the active layer.
  • WhatsApp Analytics data: raw text may be deleted immediately after processing if you enable that privacy setting; otherwise retention depends on your workspace settings and account lifecycle.
  • OAuth tokens: retained until the integration is disconnected, expires, or access is revoked, after which the token is deleted or rendered technically unusable.
  • Billing data: retained for as long as necessary for accounting, tax, audit, refunds, and subscription support; some of this data is retained by Paddle under its own policy.
  • Security logs, access logs, and technical diagnostics: generally retained for up to 90 days unless a longer period is needed to investigate abuse, incidents, or legal disputes.
  • AI cache, prompts, and temporary job artifacts: may be retained for as little as 6 hours and up to 7 days depending on queue design, retry settings, and diagnostic needs.
  • Reports, brand settings, and exported files: retained until deleted by you, deleted with the workspace, or made unavailable after a downgrade that removes related storage or features.
  • API keys: active keys are retained until revoked; only hashes and operational metadata are stored. Usage logs may remain within the broader logging retention window.
  • Backups: retained for a limited disaster recovery cycle and then overwritten automatically.

If we are required by law to keep certain records longer, or if data is needed for a complaint, dispute, security review, or anti-abuse investigation, we may extend retention for the period reasonably necessary for that purpose. Once that need ends, the data will be deleted or appropriately restricted.

12. Data security

We maintain a combination of organizational, administrative, and technical safeguards designed to protect data against unauthorized access, disclosure, alteration, loss, and misuse. Our security approach is built around least privilege, access segmentation, encryption, logging, and regular review of platform and infrastructure configuration.

  • Data in transit is protected by TLS/HTTPS.
  • The frontend uses a Content Security Policy with nonce and strict-dynamic to limit unauthorized script execution.
  • Supabase PostgreSQL is protected by Row Level Security; in our production configuration RLS covers 37 of 40 tables, while the remaining tables are protected by additional service-layer restrictions and access controls.
  • OAuth tokens are encrypted with AES-256 before database storage.
  • User API keys are stored as SHA-256 hashes and are not shown again in raw form after creation.
  • Container and runtime environments use privilege restrictions, including no-new-privileges where applicable.
  • We use Trusted Host validation, outbound request filtering, and SSRF protections in integration and crawler components.
  • Critical endpoints and authentication flows are protected by rate limiting and related anti-abuse controls.
  • Incoming webhooks are validated using HMAC verification or an equivalent signature check where supported by the provider.
  • We do not embed ad trackers, third-party marketing pixels, or hidden behavioral profiling scripts in the user interface.

No security program can guarantee absolute protection. For that reason, we also ask you to use strong and unique passwords, avoid sharing credentials, revoke unused integrations, and notify us promptly if you suspect any compromise of your account or data.

13. Your rights

If GDPR or similar privacy laws apply to your situation, you may have a number of rights regarding your personal data. The exact scope of those rights depends on your location, your relationship with us, and the nature of the processing. We do not discriminate against users for exercising lawful privacy rights.

  • Right of access: you may request confirmation that we process your personal data and request a copy of that data.
  • Right to rectification: you may ask us to correct inaccurate, incomplete, or outdated data.
  • Right to erasure: you may ask us to delete your account and associated data; where technically applicable, deletion cascades across mentions, reports, imports, settings, and other workspace materials.
  • Right to restriction: in some situations you may ask us to limit how we use data instead of deleting it.
  • Right to portability: for certain data categories you may request an export in a structured format such as CSV.
  • Right to object: you may object to processing based on legitimate interests where you have grounds related to your particular situation.
  • Right to withdraw consent: if processing is based on consent, you may withdraw it at any time, for example by disconnecting an integration or requesting deletion of uploaded materials.
  • Rights related to automated processing: you may request human review, express your point of view, or contest a result that you believe affects you through automated analysis.
  • Right to complain: you may lodge a complaint with the competent supervisory authority in your place of residence, work, or the place of the alleged infringement.

To exercise your rights, contact us at privacy@fleylab.com. For security reasons, we may ask you to verify your identity, provide additional account details, or clarify the scope of your request. We generally respond within 30 days unless applicable law allows a different period or the request reasonably requires an extension because of complexity or volume.

14. Cookies and tracking

We use a minimal set of first-party cookies and comparable technical mechanisms that are necessary for FleyRadar to function properly. We intentionally avoid advertising and behavioral trackers and we do not use Google Analytics, Meta Pixel, or similar tools designed for cross-site marketing profiling.

  • Authentication and session cookies issued through Supabase help maintain login state, validate session integrity, and secure access to workspaces.
  • Language preference cookies or equivalent local settings remember your selected interface language.
  • Theme preference cookies or local settings remember your choice of light or dark mode.
  • Short-lived technical values may be used during OAuth flows, anti-CSRF protections, redirect state checks, and similar security-related operations.
  • Server logs and performance telemetry are not used for ad targeting and are not merged into third-party advertising profiles.

Most browsers let you manage cookies through their settings. If you block all technical cookies, some parts of the service, especially login, session continuity, and OAuth connections, may not function correctly. Because we do not use advertising cookies, we do not operate a marketing-cookie consent workflow as ad-funded consumer websites do.

15. Children

FleyRadar is intended for businesses, marketing and PR teams, agencies, analysts, and other professional users. The service is not directed to children and is not intended for individuals under the age of 16. We do not ask for age confirmation in every workflow, but we assume that any person registering an account or using the platform on behalf of an organization meets the minimum age needed to enter into binding service terms.

We do not knowingly collect personal data from children under 16 as a target audience of the service. If you believe that a child provided us with personal data without appropriate authorization from a parent or legal guardian, please contact us. If we determine that such data was collected or received in violation of applicable law, we will take reasonable steps to delete it or otherwise restrict its processing.

  • Accounts registered by users below the minimum permitted age may be suspended or deleted.
  • If uploaded customer materials contain information about minors, the user uploading those materials is responsible for having an appropriate legal basis to do so.
  • Where materials raise child privacy concerns, we may ask for additional information or refuse continued use of the relevant feature.

Because the service is built for B2B workflows and does not depend on advertising monetization, we do not build behavioral profiles of children or target them with marketing technology.

16. We do not sell personal data

We do not sell personal data and we do not "share" personal data for cross-context behavioral advertising as those terms are used in laws such as the CCPA and CPRA. We do not run an advertising marketplace around user profiles, we do not exchange audiences with ad networks, and we do not provide your data to third parties in return for money or other consideration connected to targeted advertising.

Disclosures to our infrastructure, AI, authentication, billing, and integration providers are made only as service-provider disclosures needed to deliver the functionality you request. Those providers act as service providers or processors for the relevant data flows and do not receive permission to use your data for unrelated advertising purposes.

  • We do not use Google Analytics, Meta Pixel, ad-tech exchanges, data management platforms, or similar advertising infrastructure.
  • We do not give customer email lists to data brokers or enrich accounts with third-party advertising segments.
  • We do not allow our infrastructure or AI providers to use your data for targeted ads aimed at you or your end users.

If you are a California resident or live in another jurisdiction with similar rights, you may contact us for additional information about how we classify our processing under local law. We will review such requests in good faith and without penalizing you for exercising lawful privacy rights.

17. Changes to this Policy

We may update this Policy from time to time if FleyRadar changes, our integrations expand, the law evolves, or our security and data handling practices are revised. The current version will always be published on the relevant page of the service and the effective date will appear at the top of the document.

  • For material changes, we generally provide notice at least 14 days before the changes take effect.
  • Notice may be provided by email, in-product message, account banner, settings notice, or another reasonable communication method.
  • If a change is required immediately to comply with law, address a security threat, or prevent abuse, it may take effect sooner, and we will notify you as far in advance as reasonably possible.

Your continued use of the service after an updated Policy becomes effective means that you have reviewed the revised terms to the extent permitted by applicable law. If you do not agree with the change, you should stop using the relevant features and, if necessary, delete your account.

We may retain archived versions or at least the effective-date history so that you can understand how our privacy practices have changed over time.

18. Contact information

If you have questions about this Policy, about how we process your personal data, or if you want to exercise your rights, please contact us. We aim to respond to privacy requests without undue delay and, in the ordinary case, within 30 calendar days.

  • Privacy contact: privacy@fleylab.com
  • Legal contact: legal@fleylab.com
  • Operator: FleyLab, Baku, Azerbaijan
  • Standard response time for data subject requests: up to 30 days unless a shorter period is required by applicable law

To protect your account and data, we may ask for additional information to verify that you are authorized to make the request. If you contact us on behalf of an organization or another person, we may ask for proof of authority.

If you are dissatisfied with our response, you may contact the relevant supervisory authority or pursue another remedy available under applicable law.